[dns-operations] [Ext] Re: (struct DNSSEC_DNSKEY_RR *) Exponent lengths

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Aug 10 12:43:42 UTC 2018

> On Aug 10, 2018, at 7:00 AM, Tony Finch <dot at dotat.at> wrote:
> All the common tools use 65537 by default - BIND dnssec-keygen,
> ldns-keygen, OpenSSL genrsa, OpenSSH ssh-keygen, gpg ... as a hedge
> against another padding screwup like CVE-2006-4339.

Yes, Adam's confidence that the issue is behind us, and won't come
back may be too optimistic given the possibility of some resolver
using a bespoke crypto library that never got the message.  On
the other hand, should we miss out on gaining a noticeable factor
in resolver throughput to make sure that a tiny fraction of oddball
resolvers are safe?  Perhaps exponent=3 is the better tradeoff?

Of course if the future (barring a sudden QC breakthrough) is EdDSA
(and perhaps online signing), then the choice of RSA exponents is
moot.  Packet sizes are a more pressing issue than CPU bandwidth.


More information about the dns-operations mailing list